Module schnorr_fun::share_backup

source ·
Expand description

bech32m secret share backup scheme Backup scheme for Shamir Secret Shares

§Description

Based on https://bips.xyz/93

§Backup format (bech32 chars)

human readable: “frost” // (4) separator: “1” // (1) threshold: [u5; 2], // (2) identifier: [u5; 4], // (4) secret_share: [u5; 52], // (52) share_index: u5 or [u5; 52], // (1 or 52) checksum: [u5; 6], // (6)

The total length of the backup is 71 characters if using ‘small’ share indicies (1, 2, …, 32), or bech32m characters if using general scalars for participant indicies.

§Rationale

§Human Readable - (4 bech32 characters)

frost looks cool. Most of the time we will be using this backup scheme for FROST related shamir secret shares.

§Threshold - (2)

A threshold integer between 1 and 1024. Note: a threshold of zero is considered invalid. The threshold is encoded as the value minus one so that 0 cannot be represented which is not a valid threshold.

§Polynomial Identifier - (4)

The first 4 bech32 characters from the SHA256 hash of the polynomial coefficients. This identifier allows determination of secret share compatibility.

It is possible to have two different polynomials that interpolate the same joint-secret, but shares on these different polynomials will not be compatible with one another.

The probability of two polynomials having the same identifier is 1/32^4, about one in a million.

§Secret Share - (52)

A secret share scalar is fixed length scalar of 32 bytes. This is 32 * 8 / 5 = 51.2 -> 52 bech32 characters

§Share Index - (1 or 52)

Can be any scalar, but will often be a small integer for simplicity and smaller backups. By leaving this data piece at the end, we can use the length of the remaining data to easily decode either a single bech32 char into integer, or 52 chars into a 32 byte scalar.

Structs§

Enums§

Functions§

  • decode_backup
    Decode a bech32m secret share backup
  • polynomial_identifier
    Create an identifier that’s used to determine compatibility of shamir secret shares. The first 4 bech32 chars from a hash of the polynomial coefficients. Collision expected once in (32)^4 = 2^20.